View metadata, citation and similar papers at core.ac.uk brought to you by CORE

provided by Dagstuhl Research Online Publication Server

Trade-Offs in Distributed Interactive Proofs Pierluigi Crescenzi IRIF – CNRS and Université de Paris, France [email protected] Pierre Fraigniaud IRIF – CNRS and Université de Paris, France [email protected] Ami Paz IRIF – CNRS and Université de Paris, France Faculty of Computer Science, University of Vienna, Austria [email protected]

Abstract The study of interactive proofs in the context of distributed network computing is a novel topic, recently introduced by Kol, Oshman, and Saxena [PODC 2018]. In the spirit of sequential interactive proofs theory, we study the power of distributed interactive proofs. This is achieved via a series of results establishing trade-offs between various parameters impacting the power of interactive proofs, including the number of interactions, the certificate size, the communication complexity, and the form of randomness used. Our results also connect distributed interactive proofs with the established field of distributed verification. In general, our results contribute to providing structure to the landscape of distributed interactive proofs.

2012 ACM Subject Classification Theory of computation → Distributed computing models; Theory of computation → Interactive proof systems; Theory of computation → Distributed algorithms

Keywords and phrases Distributed interactive proofs, Distributed verification

Digital Object Identifier 10.4230/LIPIcs.DISC.2019.13

Related Version A full version of the paper is available at https://arxiv.org/abs/1908.03363.

Funding Pierre Fraigniaud: Additional support from the INRIA project GANG, and from the ANR project DESCARTES. Ami Paz: Supported by the Fondation des Sciences Mathématiques de Paris.

Acknowledgements The authors are thankful to Gianlorenzo D’Angelo for fruitful discussions on the topic of this paper, and to Amir Yehudayoff for discussion on his work [27].

1 Introduction

This paper is concerned with distributed network computing, in which n processing nodes occupy the n vertices of a connected simple graph G, and communicate through the edges of G. In this context, distributed decision [25] refers to the task in which the nodes have to collectively decide whether the network G satisfies some given graph property, which may refer also to input labels given to the nodes (basic examples of such tasks are whether the network is acyclic or whether the network is properly colored). If the property is satisfied then all nodes must accept, otherwise at least one node must reject. Distributed decision finds immediate applications to distributed fault-tolerant computing, in which the nodes must check whether the current network configuration is in a legal state with respect to some Boolean predicate [22]. (If this is not the case, the rejecting node(s) may raise an alarm or launch a recovery procedure.)

© Pierluigi Crescenzi, Pierre Fraigniaud, and Ami Paz; licensed under Creative Commons License CC-BY 33rd International Symposium on Distributed Computing (DISC 2019). Editor: Jukka Suomela; Article No. 13; pp. 13:1–13:17 Leibniz International Proceedings in Informatics Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany 13:2 Trade-Offs in Distributed Interactive Proofs

While some properties (e.g., whether a given coloring is proper) are locally decidable (LD) by exchanging information between neighbors only, other properties are not (e.g., whether the network is acyclic, or whether a given set of pointers forms a spanning tree of the network). As a remedy, the notion of proof-labeling scheme (PLS) was introduced [22], and variants were considered, including non-deterministic local decision (NLD) [14], and locally checkable proofs (LCP) [18]. All these settings assume the existence of a prover assigning certificates to the nodes, and a distributed verifier in charge of verifying that these certificates form a distributed proof that the network satisfies some given property. For instance, acyclicness can be certified by a prover picking one arbitrary node u, and assigning to each node v a certificate c(v) equal its distance to u. The distributed verifier running at every node v checks that v has one neighbor w satisfying c(w) = c(v) − 1, and all its other neighbors w0 satisfying c(w0) = c(v) + 1. If the network contains a cycle, then these equalities will be violated in at least one node. Note that the prover is not necessarily an abstract entity, as an algorithm constructing some distributed data structure (e.g., a spanning tree) may construct in parallel a proof that this data structure is correct. Interestingly, all (Turing decidable) graph properties can be certified by PLS and LCP with O(n2)-bits certificates [22], and this is tight [18]– for instance, symmetry1 (Sym) was shown to require Ω(n2)-bit certificates. However, not only such universal certification requires high space complexity at the nodes for storing large certificates, it also requires high communication complexity between neighbors for verifying the correctness of these certificates. Hence, the concern is minimizing the size of the certificates for specific graph properties, e.g., minimum-weight spanning trees (MST) [21]. Recently, the notion of randomized proof-labeling schemes (RPLS) was introduced [15]. RPLS assumes that the distributed verifier is randomized, and the global verdict provided by the nodes about the correctness of the network configuration should hold with probability at least 2/3. Such randomized distributed verification schemes were proven to be very efficient in terms of communication complexity (with O(log n)-bit messages exchanged between neighbors), but this often holds at the cost of actually increasing the size of the certificates provided by the prover. Another recent direction for reducing the certificate size introduces a local hierarchy of complexity classes defined by alternating quantifiers (similarly to the polynomial hierar- chy [28]) for local decision [11]. Interestingly, many properties requiring Ω(n2)-bit certificates with a locally checkable proof stand at the bottom levels of this hierarchy, with O(log n)-bit certificates. This is for instance the case of non 3-colorability (3Col), which stands at the second level of the hierarchy, and Sym, which stands at the third level of the hierarchy. More generally, all monadic second order graph properties belong to this hierarchy with O(log n)-bit certificates. However, it is not clear how to implement the protocols resulting from this hierarchy. Even more recently, a very original and innovative approach was adopted [20, 24], bearing similarities with the local hierarchy but perhaps offering more algorithmic flavor. This approach considers distributed interactive proofs. Such proofs consist of a constant number of interactions between a centralized prover M (a.k.a. Merlin) and a randomized distributed verifier A (a.k.a. Arthur). For instance, a dAM protocol is a protocol with two interactions: Arthur queries Merlin by sending a random string, and Merlin replies to this query by sending a certificate. Similarly, a dMAM protocol involves three interactions: Merlin provides a

1 G is symmetric if G has a non trivial automorphism, i.e., a one-to-one mapping from the set of nodes to itself preserving edges, and distinct from the identity map. P. Crescenzi, P. Fraigniaud, and A. Paz 13:3 certificate to Arthur, then Arthur queries Merlin by sending a random string, and finally Merlin replies to Arthur’s query by sending another certificate. This series of interactions is followed by a phase of distributed verification performed between every node and its neighbors, which may be either deterministic or randomized. Although the interactive model seems weaker than the alternation of quantifiers in the local hierarchy, many properties requiring Ω(n2)-bits certificates with a locally checkable proof admit an Arthur-Merlin protocol with small certificates, and very few interactions. For instance, this is the case of Sym that admits a dMAM protocol with O(log n)-bit certificates, and a dAM protocol with O(n log n)-bit certificates [20] (on the other hand, any dAM protocol for Sym requires Ω(log log n)-bit certificates [20]). It is also known that non symmetry (Sym) can be decided by a dAMAM protocol with O(log n)-bit certificates [24]. These results raise several interesting questions, such as:

1. Are there ways to establish trade-offs between space complexity (i.e., the size of the certificates) and communication complexity (i.e., the size of the messages exchanged between nodes)? The dMA protocols [20] as well as the RPLS protocols [15] enable to gain a lot in terms of message complexity, but at the cost of still high space complexity. Would it be possible to compromise between these two complexities? In particular, would it be possible to reduce the certificate size at the cost of increasing the communication complexity? 2. The theory of distributed decision has somehow restricted itself to distributed randomness, in the sense that each node has only access to a private source of random coins. These coins are public to the prover, but remain private to the other nodes. Shared randomness is known to be stronger than private randomness for communication complexity, as witnessed by, e.g., deciding equality [23]. How much shared randomness could help in the context of distributed decision? 3. Last but not least, are there general reduction theorems between Arthur-Merlin classes for trading the number of interactions with the certificate size? In the centralized setting, it is known that AM[k] = AM[2] for any k ≥ 2, but it is not known whether a similar claim holds in the distributed setting [20]. Also, in the centralized setting the Sipser–Lautemann theorem tells us that MA ⊆ Σ2 ∩ Π2 and MA ⊆ AM ⊆ Π2, but it is not known whether the distributed Arthur-Merlin classes stand so low in the local alternating hierarchy too.

Our Results In this paper, we study the power of distributed interactive proofs. This is achieved via a series of results establishing trade-offs between various parameters impacting the power of interactive proofs, including the number of interactions, the certificate size, the communication complexity, and the form of randomness used. Our results also connect distributed interactive proofs with the established field of distributed verification. We address the above three questions as follows. For the first question, we show how to apply techniques developed in the framework of multi-party communication complexity to get trade-offs between space and communication for the classical triangle detection problem. For the second question, we show that shared randomness helps significantly, enabling to exponentially reduce the communication complexity while preserving the space complexity for important problems such as spanning tree, and a vast class of optimization problems, including, for example, maximum independent set and minimum dominating set. For the third question, we give a general technique for reducing the number of interactions at the cost of increasing the certificate and message size.

D I S C 2 0 1 9 13:4 Trade-Offs in Distributed Interactive Proofs

More specifically, for the first question, we explore the trade-off of space vs. communication, and establish that for every α there exists a Merlin-Arthur protocol for triangle-freeness, which uses O(log n) bits of shared randomness, Oe(n/α)-bit certificates and Oe(α)-bit messages between nodes (Theorem 4). To our knowledge, this is the first example of a decision task for which one can trade communication for space. In addition, the proof reveals an interesting connection between dMA and communication complexity with a referee. Note that, for √ α = n, we obtain a distributed Merlin-Arthur protocol for triangle-freeness with message √ and space complexities Oe( n) bits. In contrast,√ any proof-labeling scheme for triangle- freeness must have certificate size at least n/eO( log n) bits (Proposition 5). A similar tradeoff can be obtained when using distributed randomness, though with higher space complexity. Regarding the second question, we explore the significance of having access to shared randomness. We show that, for any minimization problem π in graphs whose admissibility can be decided locally, there exists a Merlin-Arthur protocol for certifying the existence of a solution whose cost is at most k, using O(log n) bits of shared randomness, with O(log n)- bit certificates and O(log log n)-bit messages between nodes (see Theorem 6). The same result holds for maximization problems whose admissibility can be decided locally. Note that this class of problems includes, for example, maximum independent set, minimum dominating set, and minimum vertex cover (potentially weighted). This exponentially improves the communication complexity of locally checkable proofs for such problems. The same communication complexity could be obtained using randomized proof-labeling schemes, but at the cost of increasing the certificate size to up to O(n log n) bits. As another interesting result in the context of exploring the significance of having access to shared randomness, we show that even shared randomness remains limited both in terms of the certificate size and of the amount of communication. We show that every Arthur-Merlin protocol for Sym, and every Arthur-Merlin protocol for Sym must have both certificate size and message size Ω(log log n) bits, even with shared randomness (see Theorem 10). Interestingly, for the class of graphs used in the proof of this latter result, there is a Merlin-Arthur protocol with certificates and messages of constant length. This shows that the inclusion MA ⊆ AM which holds in the centralized setting does not hold in the distributed setting. Finally, we consider general reductions within the Arthur-Merlin hierarchy, and compare the power of this hierarchy to the power of proof-labeling schemes with certificates of linear size. We show that, for every σ and γ, any graph property verifiable with an Arthur- Merlin protocol with 3 or 4 interactions (dMAM or dAMAM) using σ-bit certificates and γ-bit messages can also be verified by an Arthur-Merlin (dAM) protocol using O(nσ2)-bit certificates and O(nγσ)-bit messages (see Theorem 11 and Corollary 12). Although the linear blowup in terms of both certificate size and message complexity may seem huge at a first glance, it fits (up to logarithmic factors) with the different results obtained previously [20, 24] regarding Sym and graph non-isomorphism (Iso). Finally, we compare the power of Arthur-Merlin protocols with an arbitrarily large number of interactions with the power of proof-labeling schemes. We show that there exists a graph property admitting a proof-labeling scheme with certificates and messages on O(n) bits, that cannot be solved by an Arthur-Merlin protocol with o(n)-bit certificates, for any fixed number k ≥ 0 of interactions between Arthur and Merlin, even using shared randomness, and even with messages of unbounded size (see Theorem 14). This latter result demonstrates that, in general, one cannot trade the number of interactions between Merlin and Arthur for reducing the certificate size, at least for certificates of linear size. Most of our results are stated by assuming that nodes have access to shared randomness. However, as all our protocols are local, all our 1-round protocols can be simulated by 2-round protocols using distributed randomness. In general, our results contribute to providing structure to the landscape of distributed interactive proofs. P. Crescenzi, P. Fraigniaud, and A. Paz 13:5

Related Work Local decision (LD) and the central notion of locally-checkable labellings were introduced and thoroughly studied in the 90s [25]. Local verification was introduced fifteen years later [22], through the original notion of proof-labeling schemes (PLS). Proof-labeling schemes find important applications to self-stabilization, but are subject to some restrictions (only certificates are exchanged between neighbors). These restrictions were lifted by considering the general notion of locally checkable proofs (LCP)[18]. By definition, we have LCP = Σ1LD (the same way NP = Σ1P). A third notion of distributed verification was introduced, by considering the class NLD [14]. NLD differs from Σ1LD in the fact that, in NLD, the certificates cannot depend on the identities given to the nodes. Randomized versions of local decision and local verification have been considered in the literature [15, 13, 14, 20]. A Merlin-Arthur (dMA) protocol is actually a randomized version of locally checkable proof (Σ1LD) that was previously studied [15]: Merlin provides each node with a certificate, and Arthur performs a randomized verification algorithm at each node. The benefit of using dMA over Σ1LD can be exponential in terms of communication complexity (i.e., of the size of the messages exchanged between neighbors), at the cost of a linear increase in space complexity (i.e., of the size of the certificates provided by Merlin) [15]. Very closely related to the line of work about interactive distributed proofs is the local S   hierarchy LH = k≥0 ΣkLD ∪ ΠkLD with certificates and messages of logarithmic size [11], extending the known logLCP class [18]. In particular, it is proved that Sym ∈ Σ3LD [11]. Also, it is easy to show that 3Col ∈ Π2LD. In contrast, placing Sym or 3Col in Σ1LD requires Ω(n2)-bit certificates [18]. The same hierarchy was later considered, but under the constraint that the certificates must not depend on the identifier assignment to the nodes. With O(n2)- bit certificates, this hierarchy collapses at the second level Π2LD [5]. (This is in contrast with the hierarchy in which certificates can depend on the node identifiers, which collapses at 2 the first level Σ1LD with O(n )-bit certificates.) Nevertheless, apart from the bottom levels, the hierarchies based on alternating quantifiers with O(log n)-bit certificates are essentially the same [5]. See the recent survey [10] for more results on distributed decision. This work is inspired by very recent achievements in the field of distributed interactive protocols [20, 24]. In addition to the aforementioned results regarding Sym and Sym, two versions of Iso (Given two sub-graphs G1 and G2 of G, G1 6∼ G2, that is, are G1 and G2 non-isomorphic?) were considered. For the easiest version, in which the input of each node v is formed by the two sets of neighbors of v in the two graphs G1 and G2, a dAMAM protocol with O(log n)-bit certificates for deciding G1 6∼ G2 was designed [24]. For the more complicated version, in which G1 = G (that is, G1 is the communication network) and the input of each node v is the set of neighbors of v in G2, a dAMAM protocol with O(n log n)-bit certificates for deciding G1 6∼ G2 was proposed [20], and an Arthur-Merlin protocol with a constant number of interactions and O(log n)-bit certificates, for deciding G1 6∼ G2, was successively designed [24]. Interestingly, this latter result is obtained via a general connection between efficient centralized computation (under various models) and the ability to design Arthur-Merlin protocols with a constant number of interactions between the prover and the verifier, using logarithmic-size certificates. We use a variety of techniques and results from the theory of communication complex- ity [23]. Specifically, we use an Arthur-Merlin style protocol for two-party disjointness [1], in a recent variant [2] that allows a trade-off between communication complexity and certificate size. We also use recent lower bounds for the equality and non-equality problems in the same setting [17]. Finally, we use multi-party communication protocol with a referee for the SumZero problem with bounded inputs [26], and with unbounded inputs [19].

D I S C 2 0 1 9 13:6 Trade-Offs in Distributed Interactive Proofs

v1 v2 G vn−1 vn v1 v2 G vn−1 vn

cj(v1) cj(vn) cj(v2) cj(vn−1) rj rj rj rj e Merlin |rj| = ρ(n) Merlin |cj(vi)| = σ(n) rj shared randomness (b) Merlin phase with space complexity σ at interaction j

e e e e

rj(v1) rj(v2) rj(vn−1) rj(vn)

m2→n−1

v1 v2 G vn−1 vn v1 v2 G vn−1 vn m2→1

Merlin |rj(vi)| = ρ(n) |mi→j| = γ(n) distributed randomness (c) Verification phase with communication complexity γ

(a) Arthur phase with random complexity ρ at interaction j

Figure 1 The three different phases of a distributed Arthur-Merlin protocol (the Arthur phase can make use of either shared or distributed randomness).

2 Model and Definitions

A network configuration is a triple (G, id, x) where G = (V,E) is a connected simple graph, id : V → {1, . . . , nc} for some constant c ≥ 1 is the identity one-to-one assignment to the nodes, and x : V → {0, 1}∗ is the input label assignment (i.e., the state of the node). A distributed language is a collection L of network configurations. Note that it may be the case that, for some language L, (G, id, x) ∈ L while (G, id0, x) ∈/ L for two different identity assignments id and id0. This typically occurs for languages where the label of a node refers to the identities of its neighbors, e.g., for encoding spanning trees. (Throughout the paper, we assume that all considered distributed languages are Turing-decidable). Distributed decision for L is the following task: given any network configuration (G, id, x), the nodes of G must collectively decide whether (G, id, x) ∈ L. If this is the case, then all nodes must accept, otherwise at least one node must reject (with certain probabilities, depending on the model). We consider interactive protocols for distributed decision [20]. A distributed interactive protocol P consists of a constant series of interactions between a prover called Merlin, and a verifier called Arthur (see Fig. 1 for a visual representation of such a protocol). The prover Merlin is centralized, and has unlimited computing power. It is aware of the whole network configuration (G, id, x) under consideration, but it cannot be trusted. The verifier Arthur is distributed, and has bounded knowledge, that is, at each node v, Arthur is initially aware solely of (id(v), x(v)), i.e., of its identity and its input label. In a distributed Arthur-Merlin interactive protocol performed on I = (G, id, x), whenever Arthur is the one that starts interacting, it picks a random string r1(v) at each node v of G (this random string might be private to each node, or the nodes may have access to shared randomness). Given the collection r1 of random strings selected by the nodes, Merlin provides ∗ ∗ every node v with a certificate c1(v) = p(v, I, r1), where p : {0, 1} → {0, 1} . At this point, Arthur picks another random string r2(v) at each node v. Then Merlin replies to each node v by sending a second certificate c2(v) = p(v, I, r1, r2), and so on. Whenever Merlin is the one that starts interacting, the process starts with Merlin constructing a binary string c0(v) = p(v, I) that it sends to every node v. These interactions proceed for a constant number P. Crescenzi, P. Fraigniaud, and A. Paz 13:7

k ≥ 0 of times, and Merlin interacts last, by sending cb k c(v) to every node v. A sequence 2   of interactions can then be summarized by a transcript π(I, p, r) = πv(I, p, r) , where v∈V   k r = r1, . . . , r k with ri = (ri(v))v∈V for i = 1,..., b c, and b 2 c 2   πv(I, p, r) = c0(v), r1(v), c1(v), . . . , r k (v), c k (v) b 2 c b 2 c with c0(v) = ∅ if Arthur starts the interactions. In other words, an Arthur-Merlin protocol with k interactions results in a transcript with c0(v) = ∅ if k is even, and with c0(v) equal to the first certificate provided by Merlin otherwise. The Arthur-Merlin protocol completes by performing a deterministic distributed verification algorithm v executed at each node. Specifically, Algorithm v proceeds as follows at every node v:

1. A message Mv,u destined for every neighboring node u of v is forged, and sent to u. This message may depend on the identity id(v), the input x(v), all random strings generated by Arthur at v, and all certificates received by v from Merlin. 2. Based on all the knowledge accumulated by v (i.e., its identity, its input label, the generated random strings, the certificates received from Merlin, and all the messages received from its neighbors), Algorithm v accepts or rejects at node v.

A distributed Arthur-Merlin protocol P thus consists of two consecutive stages: (1) inter- actions between the nodes and the prover p (Arthur-Merlin phases), and (2) communication among neighboring nodes (algorithm v). Note that, for the sake of simplifying the presenta- tion, and unifying the comparison with previous work, we restrict ourselves to verification algorithms v that perform in a single round. Performing more than one round enables to improve the complexity of verification protocols in some cases [12]. However, this does not conceptually change the nature of the protocol. For zero interactions (i.e., k = 0), a distributed Arthur-Merlin protocol simply consists in performing a (deterministic) decision algorithm at each node [22]. For one interaction (i.e., k = 1), a distributed Arthur-Merlin verification protocol is a (1-round) locally-checkable proof algorithm [18].

I Definition 1. The class dAM[k](σ, γ) is the class of languages L for which there exists a distributed Arthur-Merlin verification protocol with at most k ≥ 0 interactions between Arthur and Merlin, where Merlin provides certificates of at most σ ≥ 0 bits to the nodes, and the verification algorithm v exchanges messages of at most γ ≥ 0 bits between nodes, such that, for every configuration I = (G, id, x),

 2 (G, id, x) ∈ L ⇒ ∃p : Prr[v(π(I, p, r)) accepts at all nodes] ≥ /3; 2 (G, id, x) ∈/ L ⇒ ∀p : Prr[v(π(I, p, r)) rejects in at least one node] ≥ /3.

The definition of distributed Merlin-Arthur interactive protocols, and of dMA[k](σ, γ) is similar, apart from the fact that, as opposed to Arthur-Merlin protocols in which Merlin always interacts last, Arthur has one more “interaction” during which it picks a random bit- string r0(v) at every node v, which is used to perform a randomized verification algorithm v. Therefore, for k ≥ 1, a Merlin-Arthur protocol with k interactions can be defined as an Arthur-Merlin protocol with k − 1 interactions, but where the verification algorithm v is randomized. For zero interactions, a distributed Merlin-Arthur protocol simply consists in performing a (deterministic) decision algorithm at each node [22]. For one interaction, a distributed Merlin-Arthur protocol is a (1-round) randomized decision algorithm as studied previously [13]. For two interactions, a distributed Merlin-Arthur protocol is a (1-round) randomized locally-checkable proof algorithm, also as studied previously [15].

D I S C 2 0 1 9 13:8 Trade-Offs in Distributed Interactive Proofs

In the following, we may avoid mentioning the parameters σ and γ when they are clear from the context, or when they are respectively identical in the two terms of an equality. For small values of k ≥ 2, dAM[k] and dMA[k] are rewritten as an alternating sequence of As and Ms. For instance, dAM[2] = dAM, dMA[2] = dMA, dAM[3] = dMAM, dMA[3] = dAMA, and dAM[4] = dAMAM, and so on. For k ≤ 1, it follows from the definition 2 2 that dAM[0] = dMA[0] = LD. We also have dAM[1] = Σ1LD and dMA[1] = BPLD( /3, /3) where the class BPLD(p, q) is the distributed version of BPP [16], with p being the acceptance probability of the interactive protocol on legal instances, and q being the rejection probability of the protocol on illegal instances [13]. As a last example, dMA is the class of languages that can be decided by a randomized locally checkable proof, as studied previously [15]. As opposed to the sequential setting in which it is known that AM[k] = AM[2] for all k ≥ 2, it is not known whether such “collapse” occurs in the distributed setting. Therefore, we define S the Arthur-Merlin hierarchy as dAMH(σ, γ) = k≥0 dAM[k](σ, γ). That is, L ∈ dAMH(σ, γ) if and only if there exists k ≥ 0 such that L ∈ dAM[k](σ, γ).

Boosting the Success Probability

In classical, sequential randomized algorithm, the success probability constant 2/3 can be easily increased using repetitions. On the other hand, it was shown that this boosting technique is not applicable for randomized distributed decision algorithms in general [13], making the choice of constant significant when considering such settings. The inability of boosting in the distributed setting is due to the fact that, when repeating the algorithm on a “no” instance for several times, different nodes may reject in different repetitions, causing each node to sees very few rejections and decide on acceptance. Somewhat surprisingly, we can show that in the case of distributed Arthur-Merlin protocols (i.e., dAM[k] classes), parallel repetition is possible, and at a relatively low blowup in communication and certificates. This allows us to boost the success probability, as follows.

0 I Proposition 2. Let 1 > p > p > 1/2. If there exists an Arthur-Merlin verification protocol P with k ≥ 2 interactions that enables to verify a distributed language L with σ-bit certificates, γ-bit messages, and success probability p, then there exists an Arthur-Merlin verification protocol P0 with k interactions that enables to verify L with σ + O(log n)-bit certificates, messages on γ + O(log n) bits, and success probability p0.

Proof. Moving from success probability p to success probability p0 > p is achieved in a standard way, by merely repeating P a constant number of times (depending on p and p0), and adopting the majority of the outcomes. However, this cannot be done in a straightforward manner because, for a configuration (G, x, id) ∈/ L, it may be the case that the (at least one) node rejecting (G, x, id) is different at each repetition. Therefore, during the last interaction with the prover, Merlin provides every node with a local encoding of a spanning tree T enabling to count the number of executions of P resulting in at least one node rejecting. It is known that certificates of O(log n) bits suffice for certifying such a tree [22]. The root of the tree T accepts or rejects depending on whether the majority of executions of P accepted or rejected, respectively. J

3 Space vs. Communication

In this section, we study the trade-off between space and communication complexity for Merlin-Arthur interactive protocols. Specifically, we consider the classical triangle-freeness problem, and establish a trade-off between space and communication for this problem. Recall P. Crescenzi, P. Fraigniaud, and A. Paz 13:9 that a graph G = (V,E) is triangle-free if, for every three nodes u, v, w in V , either {u, v} ∈/ E, {u, w} ∈/ E, or {v, w} ∈/ E. We denote by ∆ the corresponding distributed language. free √ There is a recent deterministic distributed algorithm for triangle-freeness running in Oe( n) rounds in the congest model [7]. A general scheme for designing dMA protocol has also been proposed [15]. This scheme enables to reduce communication complexity to O(log n), at the cost of increasing the space complexity to O(n2). When more interactions are allowed, say a constant number k, a recent reduction [24] – from centralized small-space algorithms to our setting – implies a protocol with O(log n)-bit certificates and O(log n)-bit messages for the triangle-freeness problem, i.e., ∆free ∈ dMA[k](log n, log n) for some constant k > 1. In order to prove the trade-off between space and communication complexities for triangle- freeness, we first state the following result, which will be used at several places in the paper.

I Lemma 3. For any network of maximum degree d, there exists a proof-labeling scheme (and thus a Σ1LD protocol) with O(log n)-bit certificates providing each node v with the certified value n of the number of nodes, and a color c(v) ∈ {1,..., min{d2 + 1, n}} such that c forms a certified proper distance-2 coloring of the network.

Proof idea. The certification of the number of nodes can be done by using a rooted spanning tree and by counting nodes in the sub-trees. The certification of a proper distance-2 coloring can be done by assigning colors to nodes, with every node checking that all its neighbors have different colors, all different from its own color. J

Since triangle-freeness is a local property, nodes do not need to be represented by identifiers that are different throughout the entire network. Instead, identifiers resulting from a proper distance-2 coloring suffice. Therefore, using Lemma 3, we can assume that nodes are provided with identifiers in {1, . . . , n} such that id(u) 6= id(v) whenever the distance between u and v is at most 2.

I Theorem 4. For every α = O(n), there exists a Merlin-Arthur protocol for triangle-freeness, n using O(log n) bits of shared randomness, with O( α log n)-bit certificates and O(α log n)-bit n messages between nodes. In short ∆free ∈ dMA( α log n, α log n). Proof. We identify the space {1, . . . , n} of IDs with [n/α] × [α], for some α = O(n) of choice. Each node u thus has a set Su of pairs of the form (i, t) representing its neighbors. Let q be a prime such that cnα < q ≤ 2cnα, for a large enough constant c > 1, and let Fq be the field of q elements. Each node u represents Su as α functions ψSu,t :[n/α] → {0, 1} , where ψSu,t(i) = 1 ⇐⇒ (i, t) ∈ Su. Node u then extends these functions to polynomials

ΨSu,t : Fq → Fq of degree at most n/α − 1 that agree with ψSu,t on [n/α]. To make sure that an edge {u, v} is not a part of a triangle, the nodes u and v need to verify that Su ∩ Sv = ∅, which is equivalent to ΨSu,t(i) · ΨSv ,t(i) = 0 for all i ∈ [n/α] and t ∈ [α]. Node u then defines its neighbors polynomials Ψuv,t = ΨSu,t · ΨSv ,t for every v ∈ Su, and every t ∈ [α]. Let Ψ = P P Ψ . The degree of each polynomial Ψ is at most 2(n/α − 1), u t∈[α] v∈Su uv,t uv,t and thus this is also the case for the degree of Ψu. Node u is not part of a triangle if and only if Ψuv,t(i) = 0 for every t ∈ [α], i ∈ [n/α] and v ∈ Su. Since q > nα, it follows that u is not part of a triangle if and only if Ψu(i) = 0 for every i ∈ [n/α]. (For each i, we have a sum of nα values, each in {0, 1}.)

Merlin assigns to node u the certificate Φu, which is supposed to be equal to Ψu. Since n this is a polynomial of degree at most 2( α − 1), the same number of coefficients are sufficient n for representing Φu. Therefore, the certificates are of O( α log q) bits, which are actually n 2 O( α log n) bits, as q ≤ 2cnα = O(n ).

D I S C 2 0 1 9 13:10 Trade-Offs in Distributed Interactive Proofs

Each node u first verifies that Φu(i) = 0 for every i ∈ [n/α]. Then, it checks that indeed Φu = Ψu, as follows. The protocol uses the shared randomness to choose a field element

i0 ∈ Fq known to all nodes. Each node v broadcasts {ΨSv ,t(i0): t ∈ [α]} to each of its neighbors, using O(α log q) ≤ O(α log n) bits of communication. Node u then computes X X X X Ψu(i0) = Ψuv,t(i0) = ΨSu,t(i0) · ΨSv ,t(i0)

t∈[α] v∈Su t∈[α] v∈Su

and accepts only if Φu(i0) = Ψu(i0). The probability that two non-equal polynomials on Fq n n of degree at most 2( α −1) are equal at a random point i is at most 2( α −1)/q. Since q > cnα, the probability of error can be made arbitrarily small by choosing c large enough. J

I Remark. Similar trade-offs can still be obtained even if nodes have only access to distributed randomness. For instance, in two rounds, with the same notations as in the proof of Theorem 4, we can have each node u choose its own random iu ∈ Fq, and send it to all its neighbors n2 v. To get a 1-round dMA protocol, with O( α log n)-bit certificates, and O(α log n)-bit communication, Merlin sends to u a specific certificate for each edge incident to u. That is, u P gets a polynomial Φv for each v ∈ Su, which equals (allegedly) to Ψuv(i) = t∈T Ψuv,t(i) = P t∈T ΨSu,t(i) · ΨSv ,t(i) on each i ∈ Fq. In this case, v chooses iv at random locally, and

sends to u the value iv in addition to the α evaluations ΨSv ,t(iv) for all t ∈ [α]. A particular application of Theorem 4 is the existence of a Merlin-Arthur protocol with √ both space and message complexities Oe( n). This contrasts with the following lower bound.

I Proposition√ 5. Any proof-labeling scheme for triangle-freeness must have certificate size at least n/eO( log n) bits.

Proof idea. The lower bound graph construction for the broadcast-congested-clique model [9] obviously gives a lower bound to the weaker, broadcast-congest model. This lower bound is based on a lower bound for multiparty communication complexity of disjoint- ness [27], which also applies for the non-deterministic case. Finally, as noted in previous work on PLS [18, 6], a lower bound for non-deterministic communication complexity in the broadcast-congest model implies a certificate-size lower bound for PLS. J We can then conclude that, as opposed to the dMA protocol of Theorem 4, any PLS for triangle freeness must use almost-linear communication. Put differently, the trivial protocol of sending all the list of neighbors is almost optimal, even if non-determinism is used.

4 Distributed vs. Shared Randomness

In this section we compare the power of distributed interactive protocols using shared randomness (the nodes have access to a common source of random coins) with the power of protocols using distributed randomness (each node has access to a private source of random coins only) – in both cases, the outcomes of the random trials are public to Merlin.

Certifying Solutions to Optimization Problems We consider optimization problems on graphs, such as finding a minimum dominating set, or a maximum independent set, and their weighted counterparts. Similar problems where previous studied in the context of non-interactive distributed verification [11]. In such a problem π, an admissible solution is a set S of nodes satisfying a set of constraints depending P on π, and the quality of a solution S is measured by its weight w(S) = s∈S w(s) where w(s) P. Crescenzi, P. Fraigniaud, and A. Paz 13:11 is the weight of node s, given as input (where w(s) = 1 for every node s when considering only the cardinality of the solution). We assume that all weights are polynomial in the size n of the network. A set S is distributively encoded by a Boolean variable x(v) at each node v, indicating whether the node is in S or not. We consider two distributed languages:

The language Admπ is composed of all configurations (G, (w, x), id) such that x encodes an admissible solution for π in the weighted graph G (weights are assigned by w).

The language OptValπ,k, for k ≥ 0, is composed of all configurations (G, w, id) such that there exists an admissible solution for π of weight at most k (respectively, at least k) for the minimization (respectively, maximization) problem π. This framework can easily be extended to study problems whose solutions are sets of edges.

I Theorem 6. For any optimization problem π on graphs such that checking whether a given solution x is admissible can done by exchanging O(log log n) bits between neighbors, there exists a Merlin-Arthur protocol for OptValπ,k, using O(log n) bits of shared randomness, with O(log n)-bit certificates and O(log log n)-bit messages between nodes. In short, OptValπ,k ∈ dMA(log n, log log n).

Proof idea. A trivial starting point for protocols solving π is by having Merlin mark the nodes of the solution using the certificates. Computing the weight of the given solutions is a global task, and thus much harder in the distributed setting. To solve it, we aggregate the solution weight over a spanning tree. However, this still requires larger messages than desired; the crucial part in the proof is in using multi-party communication complexity protocol with a referee for the SumZero problem. Using this protocol, we can reduce the messages to their desired size. J

For the statement of Theorem 6, we assumed that all weights are polynomial in the size n of the network. If the weights are m-bit long, we can adapt the proof, and show that there exists a Merlin-Arthur protocol for OptValπ,k, using O(log(m + log n)) bits of shared randomness, with O(log n)-bit certificates and O(log n)-bit messages between nodes. In short,

OptValπ,k ∈ dMA(log n, log n) even with weights exponential in n.

Certifying Coloring and Lucky Labeling Similar arguments as the ones used to establish Theorem 6 allow us to verify specific optimization problems, for which checking that a solution is admissible is not easy. We exemplify this with the coloring problem, and its variant the lucky labeling problem [4, 8]. Checking that a given graph coloring is proper is a simple task, which can be solved by having each node broadcast its color. Here, we show that verifying a given c-coloring can be done using a dMA protocol with O(∆ log log c)-bit certificates and O(1) bits of communication in networks of maximum degree ∆. This stands in contrast to the trivial verification algorithm where the communication is of O(log c) bits. In the dMA protocol, Merlin provides every node v with the location p(v, u) of a bit where the colors of u and v differ, for each of its neighbors u. A node v then checks with each neighbor u the fact that p(v, u) = p(u, v), and at the same time sends to u the value of the corresponding bit. The Merlin step requires space O(∆ log log c). The Arthur step requires constant communication when shared randomness is available using the equality protocol.

I Lemma 7. There is a Merlin-Arthur protocol for verifying a given c-coloring using O(log log c) bits of shared randomness, certificates of size O(log log c) bits, and constant communication complexity.

D I S C 2 0 1 9 13:12 Trade-Offs in Distributed Interactive Proofs

We apply this remark to the so-called lucky labeling. Let ` : V → {1, . . . , c}, and, for P every node v of G, let S(v) = u∈N(v) `(u). The labeling ` is lucky if, for every two adjacent nodes u and v, we have S(u) 6= S(v). The lucky coloring number of a graph G, denoted by η(G), is the least positive integer c such that G has a lucky labeling ` : V → {1, . . . , c}. We refer to [4, 8] for properties of the lucky coloring number. In particular, it is conjectured that η(G) ≤ χ(G), and it is known that η(G) ≤ ∆2 − ∆ + 1, even for list lucky labeling. Verifying a given graph coloring is trivial, even without labels or interaction. To verify an upper bound on the chromatic number χ of a graph, there is a simple PLS giving each node a color. The situation with lucky labeling is much more subtle: it is impossible to verify lucky labeling in a single round (this can be easily seen by considering different labelings on a short path). There is a simple PLS for verifying a given labeling is lucky, or for bounding η from above, which gives each node v the sum S(v), and also labels for the latter case. This PLS has label size and communication of O(log ∆). Applying RPLS [15] gives σ = O(∆ log ∆) and γ = O(log log ∆), which can be reduced to γ = O(1) using shared randomness. Here, we show an MA protocol using shared randomness with σ = O(∆ log log ∆) and γ = O(log log ∆), establishing another trade-off between space and communication.

I Theorem 8. For every λ = O(n), there exists a Merlin-Arthur protocol for η(G) ≤ λ, using O(log log ∆) bits of shared randomness, with O(∆ log log ∆)-bit certificates and O(log log ∆)- bit messages between nodes. In short, lucky labeling is in dMA(∆ log log ∆, log log ∆). Proof. Merlin sends to every node v its label `(v) and the alleged sum S(v) of the labels of its neighbors. For the verification, the nodes verify that the sums S(v) constitute a proper coloring, using the protocol from Lemma 7. In addition, they use a multiparty protocol for P the SumZero problem [26, 3], in order to verify S(v) = u∼v `(u). J A similar protocol can be used for the problem of verifying that a given labeling is lucky.

A General Reduction Between Distributed and Shared Randomness Interestingly, assuming distributed randomness does not limit the power of Arthur-Merlin protocols compared to shared randomness, up to a small additive factor in the certificate size. The same holds for Merlin-Arthur protocols, but solely up to one additional interaction between Arthur and Merlin. This result is not hard to achieve using a classical spanning-tree verification technique already applied in proof labeling schemes [22]. Yet, it both generalizes and simplifies the previous results on shared vs. distributed randomness [20].

I Theorem 9. For any distributed language L, and for any number k ≥ 1 of interactions, and for any certificate size σ ≥ 0, if L ∈ dAM[k](σ, γ) (respectively, L ∈ dMA[k](σ, γ)) using ρ(n) shared random bits, then L ∈ dAM[k](σ + log n + ρ, γ + log n + ρ) (respectively, L ∈ dAM[k + 1](σ + log n + ρ, γ + log n + ρ)) with distributed randomness. Proof idea. We simulate the shared randomness protocol by using the randomness of a single node as the shared randomness. Merlin disseminates the randomness to all nodes, and a spanning tree is used to verify that the disseminated random string is the desired one. J

Lower bound for shared randomness For many verification problems, the number of random bits used by Arthur remains limited, typically ρ(n) = O(log n), which shows that, often, shared randomness does not add much power to Arthur-Merlin protocols. The next result states a lower bound on the certificate and message size in the case of Sym and Sym, when using shared randomness. P. Crescenzi, P. Fraigniaud, and A. Paz 13:13

I Theorem 10. Any Arthur-Merlin protocol for (non) symmetry must have certificate and message size Ω(log log n). In short, Sym, Sym 6∈ dAM(o(log log n), ∞) ∪ dAM(∞, o(log log n)), even using shared randomness.

Proof. In [17], a communication complexity variant of Arthur-Merlin protocols has been proposed. In this variant, Arthur consists of two parties, Alice and Bob, and the input is split between them: Alice holds x, Bob holds y, and they wish to decide whether the value of a specified function f with input x and y is equal to 1. At the beginning, Alice and Bob start by tossing some coins, then Merlin publishes a certificate, and finally Alice and Bob separately decide whether to accept (the acceptance/rejection criteria are the same as for the Arthur-Merlin protocols). The communication cost of the protocol is defined as the worst-case length of Merlin’s certificates. At the end of the paper, the authors observe that, with respect to this variant of Arthur-Merlin protocols, any such protocol for Eq and for Eq must have communication complexity Ω(log log n). We will now show that the existence of a dAM protocol with one interaction for the Sym (respectively, Sym) problem with certificate size o(log log n) would imply a two-player Arthur-Merlin protocol for Eq (respectively, Eq) with communication complexity o(log log n). The theorem thus follows.

Given two binary vectors x = (x1, . . . , xn) and y = (y1, . . . , yn), recall that Eq(x, y) = 1 if and only if xi = yi for every i with 1 ≤ i ≤ n (for the sake of simplicity, we will assume that x 6= 0 and that y =6 0, but our construction can be also adapted to the case in which x = 0 or y = 0). We now define a graph Gx,y such that Sym(Gx,y) = 1 if and only if Eq(x, y) = 1 (and, hence, Sym(Gx,y) = 1 if and only if Eq(x, y) = 1). The graph includes 6n + 2 nodes a, b, ai, bi, ui, vi, yi, and zi, for 1 ≤ i ≤ n, and the following edges (see Fig. 2):

(a, b), (a, ai), for 1 ≤ i ≤ n such that xi = 1, and (b, bi), for 1 ≤ i ≤ n such that yi = 1;

(ui, aj) and (vi, bj), for 1 ≤ i ≤ j ≤ n;

(ui, uj) and (vi, vj), for 1 ≤ i < j ≤ n, and (ui, yj) and (vi, zj), for 1 ≤ i, j ≤ n;

(yi, yi+1) and (zi, zi+1), for 1 ≤ i < n, and (y1, yn) and (z1, zn).

Clearly, if x = y, then Sym(Gx,y) = 1: indeed, we can simply map each a-node (respectively, u-node and y-node) to the corresponding b-node (respectively, v-node and z-node). On the other hand, because of the degree distribution of its nodes, any non-trivial automorphism of Gx,y has to map the u-nodes to the corresponding v-nodes: this in turn implies that, because of their neighborhoods, each a node has to be mapped to the corresponding b-node. Hence, since the mapping is an automorphism, the neighborhood of node a and node b has to be the same: that is, x = y.

y1 u1 a1 b1 v1 z1

y2 u2 a2 b2 v2 z2

...... a b . . .

yn−1 un−1 an−1 bn−1 vn−1 zn−1

yn un an bn vn zn

Figure 2 The graph used to reduce Eq (respectively, Eq) to Sym (respectively, Sym): in this case, x2 = xn = y1 = 0.

D I S C 2 0 1 9 13:14 Trade-Offs in Distributed Interactive Proofs

Let us now suppose that there exists a dAM protocol P with one interaction for the Sym (respectively, Sym) problem which uses certificates of size o(log log n). We now show how P can be used to design an Arthur-Merlin protocol for Eq (respectively, Eq) with communication complexity o(log log n) (for the sake of brevity, we will show this statement for Sym and Eq: the proof for Sym and Eq is almost identical). Given x (respectively, y), Alice (respectively, A Bob) can construct the (a, u, y)-subgraph (respectively, (b, v, z)-subgraph) of Gx,y: let Gx,y B (respectively, Gx,y) denote such subgraph. After having sent to Merlin the shared random string r, Alice and Bob waits for Merlin’s certificate which is supposed to be formed by the two certificates πa and πb that nodes a and b would have received during the execution of P with random string r. By simulating P for every possible certificate assignment to A B the nodes of Gx,y (respectively, Gx,y), Alice (respectively, Bob) can verify whether there exists an assignment that makes all the nodes of its corresponding subgraph accept: if this is the case, Alice (respectively, Bob) accepts. By definition, we have that if x = y, then, A B for any random string r there exist a certificate assignment to Gx,y (respectively, Gx,y) and a certificate for Alice and Bob which make Alice and Bob accept. On the other hand, if x 6= y, then, for at least 2/3 of all possible random strings, any certificate assignment to A B Gx,y (respectively, Gx,y) and any certificate for Alice and Bob makes Alice and Bob reject. Since the size of the certificate for Alice and Bob is twice the size of the certificate size of P, this implies that this protocol is an Arthur-Merlin protocol for Eq with communication complexity o(log log n). This contradicts the lower bound observed in [17]: we have thus proved that Sym, Sym 6∈ dAM(o(log log n), ∞). The above proof can be adapted in order to obtain a lower bound on the communication complexity of any dAM for the Sym and Sym problems. Indeed, instead of asking Merlin for the certificates of the nodes a and b, Alice and Bob ask Merlin for the message transmitted on the edge (a, b). They then try to find a certificate assignment that suits this message. Hence, we have also shown that Sym, Sym 6∈ dAM(∞, o(log log n)) and the theorem follows. J

A result similar to previous theorem was proved in [20] in an ad-hoc manner, but only for the Sym problem and with respect to space complexity. The authors have recently reported to improve the lower bound from log log n to log n [24].

5 Interactions vs. Space and Communication

In this section, we explore the power given to interactive protocols by allowing many interac- tions between Merlin and Arthur, in terms of both space and communication complexity.

Reducing the number of interactions

The following general result allows us to reduce the number of interactions between Arthur and Merlin, at the cost of increasing the certificate size and the communication cost of the protocol.

2 I Theorem 11. For any two functions σ and γ, dMAM(σ, γ) ⊆ dAM(nσ , nσγ).

Proof idea. We modify a dMAM protocol, so that Merlin gives all the certificates at the end, instead of at interactions 1 and 3. This results in a very low success probability, so we repeat the new protocol for nσ times in parallel, and accept only if all occurrences are accepting. J

2 I Corollary 12. For any two functions σ and γ, dAMAM(σ, γ) ⊆ dAM(nσ , nσγ). P. Crescenzi, P. Fraigniaud, and A. Paz 13:15

As a direct application of Theorem 11, we have that Sym admits a dAM protocol with one interaction and certificate size O(n log2 n). This is a consequence of the theorem and of the existence of a dAM protocol with two interactions [20]. It is worth noting that this consequence of our general reduction result is only a log factor away from the “ad-hoc” result of [20] which establishes the existence of a dAM protocol with one interaction and certificate size O(n log n). Corollary 12 can be applied to a more recent result[24], which establishes the existence of a dAM protocol with three interactions and certificate size O(log n) for the non-isomorphism graph problem, in the case in which the nodes can communicate on both graphs. As a consequence of the corollary, we have that this problem admits a dAM protocol with one interaction and certificate size O(n log2 n). As far as we know, this is the first dAM protocol with one interaction for this version of the non-isomorphism graph problem An interesting open question is whether such a protocol can exist also for the problem in which nodes can communicate only on one graph, while the other graph is locally given as input to the nodes themselves. For this latter problem, a dAM protocol with one interaction and certificate size O(n log n) was given [20], as well as an dAM protocol with a constant number of interactions and certificate size O(log n) [24]. Observe that the two applications of Theorem 11 and of Corollary 12 are obtained at the cost of an increase of the communication complexity by a factor Oe(n). We do not know if this linear increase of communication complexity can be avoided in general.

The Arthur-Merlin Hierarchy

We analyze the power of the Arthur-Merlin hierarchy. Recall that, for any σ ≥ 0 and γ ≥ 0, S dAMH(σ, γ) = k≥0 dAM[k](σ, γ). We show that increasing the number of interactions cannot help much for reducing the certificate size to o(n), even for languages defined on a very simple subclass of regular graphs, with 1-bit inputs, and admitting a locally checkable proof with O(n)-bit certificates.

I Theorem 13. There exists a distributed language L on cycles, with 1-bit inputs, admitting a locally checkable proof with O(n)-bit certificates, and O(n)-bit messages, that is outside the Arthur-Merlin hierarchy with o(n)-bit certificates, even with messages of unbounded size, and even if the verifier performs an arbitrarily large constant number of rounds, whenever Arthur generates ρ(n) = o(n) random bits at each node for each interaction with Merlin. In short, there exists a distributed language L on regular graphs satisfying L ∈ Σ1LD(O(n),O(n)) \ dAMH(o(n), ∞).

Proof idea. The main argument of the proof is that the number of transcripts of Arthur- Merlin protocol with o(n)-bit certificates, o(n)-bit random strings, and k = O(1) interactions, is smaller than the number of distributed languages on n-node graphs, even with 1-bit input labels, and even on the ring. On the other hand, with Θ(n)-bit certificates, all such languages can be decided by a locally checkable proof on the ring. J

We complete this section by showing that, in contrast to the previous theorem, every distributed language on regular graphs with O(1)-bit inputs has a locally checkable proof with O(n)-bit certificates, and a 2-round verifier.

I Theorem 14. Every distributed language on d-regular graphs with O(1)-bit input labels belongs to Σ1LD(Oe(n),O(dn)), with a verifier performing two rounds.

D I S C 2 0 1 9 13:16 Trade-Offs in Distributed Interactive Proofs

Proof idea. To prove such a general claim, one must allow each node to study the structure and inputs of the whole graph. To this end, we apply the probabilistic method and show that there is a “balanced” assignment of information to the nodes, such that each node can use the information in its 1-neighborhood in order to reconstruct the entire graph structure. J

Since Σ1LD ⊆ dAM ∩ dMA, an immediate corollary of this theorem is that every dis- tributed language on d-regular graphs with O(1)-bit inputs belongs to dAM(Oe(n),O(dn)). Using a known RPLS protocol [15], we can also show that each such language belongs to dMA(Oe(dn),O(log n)).

References 1 Scott Aaronson and Avi Wigderson. Algebrization: A New Barrier in Complexity Theory. TOCT, 1(1):2:1–2:54, 2009. doi:10.1145/1490270.1490272. 2 Amir Abboud, Aviad Rubinstein, and R. Ryan Williams. Distributed PCP Theorems for Hardness of Approximation in P. In 58th IEEE Annual Symposium on Foundations of Computer Science, FOCS, pages 25–36, 2017. doi:10.1109/FOCS.2017.12. 3 Daniel Apon, Jonathan Katz, and Alex J. Malozemoff. One-round multi-party communication complexity of distinguishing sums. Theor. Comput. Sci., 501:101–108, 2013. doi:10.1016/j. tcs.2013.07.026. 4 Maria Axenovich, Jochen Harant, Jakub Przybylo, Roman Soták, Margit Voigt, and Jenny Weidelich. A note on adjacent vertex distinguishing colorings of graphs. Discrete Applied Mathematics, 205:1–7, 2016. doi:10.1016/j.dam.2015.12.005. 5 Alkida Balliu, Gianlorenzo D’Angelo, Pierre Fraigniaud, and Dennis Olivetti. What can be verified locally? J. Comput. Syst. Sci., 97:106–120, 2018. doi:10.1016/j.jcss.2018.05.004. 6 Keren Censor-Hillel, Ami Paz, and Mor Perry. Approximate Proof-Labeling Schemes. In Structural Information and Communication Complexity - 24th International Colloquium, SIROCCO, pages 71–89, 2017. doi:10.1007/978-3-319-72050-0_5. 7 Yi-Jun Chang, Seth Pettie, and Hengjie Zhang. Distributed Triangle Detection via Expander Decomposition. In Proceedings of the Thirtieth Annual ACM-SIAM Symposium on Discrete Algorithms, SODA, pages 821–840, 2019. doi:10.1137/1.9781611975482.51. 8 Sebastian Czerwinski, Jaroslaw Grytczuk, and Wiktor Zelazny. Lucky labelings of graphs. Inf. Process. Lett., 109(18):1078–1081, 2009. doi:10.1016/j.ipl.2009.05.011. 9 Andrew Drucker, Fabian Kuhn, and Rotem Oshman. On the power of the congested clique model. In ACM Symposium on Principles of Distributed Computing, PODC, pages 367–376, 2014. doi:10.1145/2611462.2611493. 10 Laurent Feuilloley and Pierre Fraigniaud. Survey of Distributed Decision. Bulletin of the EATCS, 119, 2016. URL: http://eatcs.org/beatcs/index.php/beatcs/article/view/411. 11 Laurent Feuilloley, Pierre Fraigniaud, and Juho Hirvonen. A Hierarchy of Local Decision. In 43rd International Colloquium on Automata, Languages, and Programming, ICALP, pages 118:1–118:15, 2016. doi:10.4230/LIPIcs.ICALP.2016.118. 12 Laurent Feuilloley, Pierre Fraigniaud, Juho Hirvonen, Ami Paz, and Mor Perry. Redundancy in Distributed Proofs. In 32nd International Symposium on Distributed Computing, DISC, pages 24:1–24:18, 2018. doi:10.4230/LIPIcs.DISC.2018.24. 13 Pierre Fraigniaud, Mika Göös, Amos Korman, Merav Parter, and David Peleg. Ran- domized distributed decision. Distributed Computing, 27(6):419–434, 2014. doi:10.1007/ s00446-014-0211-x. 14 Pierre Fraigniaud, Amos Korman, and David Peleg. Towards a complexity theory for local distributed computing. J. ACM, 60(5):35:1–35:26, 2013. doi:10.1145/2499228. 15 Pierre Fraigniaud, Boaz Patt-Shamir, and Mor Perry. Randomized proof-labeling schemes. Distributed Computing, 32(3):217–234, 2019. P. Crescenzi, P. Fraigniaud, and A. Paz 13:17

16 John Gill. Computational Complexity of Probabilistic Turing Machines. SIAM J. Comput., 6(4):675–695, 1977. doi:10.1137/0206049. 17 Mika Göös, Toniann Pitassi, and Thomas Watson. Zero-Information Protocols and Un- ambiguity in Arthur-Merlin Communication. Algorithmica, 76(3):684–719, 2016. doi: 10.1007/s00453-015-0104-9. 18 Mika Göös and Jukka Suomela. Locally Checkable Proofs in Distributed Computing. Theory of Computing, 12(1):1–33, 2016. doi:10.4086/toc.2016.v012a019. 19 Karthik C. S., Bundit Laekhanukit, and Pasin Manurangsi. On the parameterized complexity of approximating dominating set. In Proceedings of the 50th Annual ACM SIGACT Symposium on Theory of Computing, STOC, pages 1283–1296, 2018. doi:10.1145/3188745.3188896. 20 Gillat Kol, Rotem Oshman, and Raghuvansh R. Saxena. Interactive Distributed Proofs. In Proceedings of the 2018 ACM Symposium on Principles of Distributed Computing, PODC, pages 255–264, 2018. URL: https://dl.acm.org/citation.cfm?id=3212771. 21 Amos Korman and Shay Kutten. Distributed verification of minimum spanning trees. Dis- tributed Computing, 20(4):253–266, 2007. doi:10.1007/s00446-007-0025-1. 22 Amos Korman, Shay Kutten, and David Peleg. Proof labeling schemes. Distributed Computing, 22(4):215–233, 2010. doi:10.1007/s00446-010-0095-3. 23 Eyal Kushilevitz and Noam Nisan. Communication complexity. Cambridge University Press, 1997. 24 Moni Naor, Merav Parter, and Eylon Yogev. The Power of Distributed Verifiers in Interactive Proofs. CoRR, abs/1812.10917, 2018. arXiv:1812.10917. 25 Moni Naor and Larry J. Stockmeyer. What Can be Computed Locally? SIAM J. Comput., 24(6):1259–1277, 1995. doi:10.1137/S0097539793254571. 26 Noam Nisan. The communication complexity of threshold gates. In Combinatorics, Paul Erdos is Eighty, volume 1, pages 301–315, 1993. 27 Anup Rao and Amir Yehudayoff. Simplified Lower Bounds on the Multiparty Communication Complexity of Disjointness. In 30th Conference on Computational Complexity, CCC, pages 88–101, 2015. doi:10.4230/LIPIcs.CCC.2015.88. 28 Larry J. Stockmeyer. The Polynomial-Time Hierarchy. Theor. Comput. Sci., 3(1):1–22, 1976. doi:10.1016/0304-3975(76)90061-X.

D I S C 2 0 1 9